Compare commits
3 commits
7ec3d37186
...
5ddaa5e385
Author | SHA1 | Date | |
---|---|---|---|
Akemi Izuko | 5ddaa5e385 | ||
Akemi Izuko | f679eaf2d1 | ||
Akemi Izuko | aa9c63256d |
|
@ -189,3 +189,5 @@ how much impact they have in a retrospective:
|
||||||
- **2024-03-27**: DataBricks open sources DBRX, a 132B parameter MoE with 36B
|
- **2024-03-27**: DataBricks open sources DBRX, a 132B parameter MoE with 36B
|
||||||
parameters active per forward pass. It was trained on 12T tokens. According
|
parameters active per forward pass. It was trained on 12T tokens. According
|
||||||
to user evaluation, it beats Mixtral for all uses.
|
to user evaluation, it beats Mixtral for all uses.
|
||||||
|
- **2024-04-18**: Meta releases LLaMA3 8b and 70b. 70b is the new best open
|
||||||
|
model, right around Claude3 Sonnet and above older gpt4 versions!
|
||||||
|
|
|
@ -24,25 +24,25 @@ easily get *inward* access to any port.
|
||||||
|
|
||||||
The easiest method, and probably recommended for most users, is using Software
|
The easiest method, and probably recommended for most users, is using Software
|
||||||
Driven WAN (SDWAN). This is similar to a VPN, but unlike Wireguard, ZeroTier One
|
Driven WAN (SDWAN). This is similar to a VPN, but unlike Wireguard, ZeroTier One
|
||||||
doesn't [[1]] require a centralized server.
|
doesn't<sup>1</sup> require a centralized server.
|
||||||
|
|
||||||
Advantages:
|
Advantages:
|
||||||
- Free version is good enough for most small groups
|
|
||||||
- Very simple setup
|
- Very simple setup
|
||||||
- Very fast through UDP hole-punching
|
- Very low latency through UDP hole-punching
|
||||||
|
- Free (for up to 25 clients)
|
||||||
|
|
||||||
Drawbacks:
|
Drawbacks:
|
||||||
- Limit of 25 clients (on the [free
|
|
||||||
version](https://www.zerotier.com/pricing/))
|
|
||||||
- Requires installing separate software on all clients
|
- Requires installing separate software on all clients
|
||||||
- Sometimes fails to connect for up to an hour... very hard to debug when it
|
- Sometimes fails to connect for up to an hour... very hard to debug when it
|
||||||
happens
|
happens
|
||||||
- Can only be used by clients on the VPN. For example, a public webserver won't
|
- Can only be used by clients on the VPN. For example, a public webserver won't
|
||||||
be able to use this
|
be able to use this
|
||||||
|
- Limit of 25 clients (on the [free
|
||||||
|
version](https://www.zerotier.com/pricing/))
|
||||||
|
|
||||||
To use ZeroTier:
|
To use ZeroTier:
|
||||||
1. Sign up for an account at [zerotier.com](https://www.zerotier.com/)
|
1. Sign up for an account at [zerotier.com](https://www.zerotier.com/)
|
||||||
2. Under "Networks" create a network and give it a name. Ensure access control
|
2. Under "Networks" create a network and give it a name. Ensure Access Control
|
||||||
is private.
|
is private.
|
||||||
3. Install ZeroTier One on all clients you'd like to connect. You can add more
|
3. Install ZeroTier One on all clients you'd like to connect. You can add more
|
||||||
later.
|
later.
|
||||||
|
@ -168,3 +168,171 @@ ssh -p 8022 emiliko@172.27.10.10
|
||||||
```
|
```
|
||||||
|
|
||||||
This will be forwarded to port 22 on the server!
|
This will be forwarded to port 22 on the server!
|
||||||
|
|
||||||
|
## Reverse Proxy without a Static IP
|
||||||
|
|
||||||
|
If you're planning to use a home computer, you'll quickly find that most
|
||||||
|
internet service providers do not offer static IPs for consumer plans. Luckily,
|
||||||
|
there's a very simple way around this: Domain Name Servers (DNS).
|
||||||
|
|
||||||
|
You will need a domain to achieve this. Domains should not cost more than
|
||||||
|
$20/year. Here I'll use the domain `example.com` as an example.
|
||||||
|
|
||||||
|
The idea is that a domain will point to a specific IP, but this IP is determined
|
||||||
|
through a lookup to the DNS. This means that if we change the IP the DNS has
|
||||||
|
every time our computer's IP changes, we'll appear to have a static IP!
|
||||||
|
|
||||||
|
First, put your nameservers on a good DNS provider. I use
|
||||||
|
[Cloudflare](https://pages.cloudflare.com/), it's free and fast. You'll need to
|
||||||
|
find the DNS page. The URL will look something like:
|
||||||
|
|
||||||
|
```
|
||||||
|
https://dash.cloudflare.com/<long-project-id>/example.com/dns/records
|
||||||
|
```
|
||||||
|
|
||||||
|
There, you'll want to add an "A Record". The name will be the subdomain. So if
|
||||||
|
my computer is called `mycomputer` and that's in the name field, it'll be
|
||||||
|
accessible at `mycomputer.example.com`.
|
||||||
|
|
||||||
|
Now you need to identify your IP address. This is your PUBLIC IP address, not
|
||||||
|
your LOCAL IP address. One easy way to do this is `curl -q
|
||||||
|
https://ifconfig.me/ip`.
|
||||||
|
|
||||||
|
Make sure "Proxy Status" is OFF. Proxying the connection appears to make this
|
||||||
|
whole idea break down very quickly, so don't.
|
||||||
|
|
||||||
|
With that "A Record" set, try `host mycomputer.example.com` to see when the DNS
|
||||||
|
updates. This can take up to 4 hour, but usually takes under a minute in
|
||||||
|
practice. With this, you should be able to access your computer using the
|
||||||
|
domain! Of course, make sure your router's ports are forwarding to your
|
||||||
|
computer.
|
||||||
|
|
||||||
|
We now need to make your computer update Cloudflare's DNS, whenever the IP
|
||||||
|
changes. I use the script below to do this. Fill in the `HOST`, `DOMAIN`,
|
||||||
|
`TOKEN`, `ZONE_ID`. The `TOKEN` is your Cloudflare application token:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
declare wan_ip_record wan_ip cf_records host_record cf_host_ip cf_rec_id
|
||||||
|
|
||||||
|
declare -r HOST='mycomputer'
|
||||||
|
declare -r DOMAIN='example.com'
|
||||||
|
declare -r TOKEN='...'
|
||||||
|
declare -r ZONE_ID='...'
|
||||||
|
|
||||||
|
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||||
|
#│ Gετ WΛN IP |
|
||||||
|
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||||
|
if ! wan_ip_record="$(curl ifconfig.me)"; then
|
||||||
|
echo "Hosts timed out" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
wan_ip="$wan_ip_record"
|
||||||
|
#wan_ip="$(echo "$wan_ip_record" | tail -n1 | awk '{ split($0, a, " "); print a[4] }')"
|
||||||
|
|
||||||
|
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||||
|
#│ Gετ Λ rεcδrd δη Clδμdflαrε |
|
||||||
|
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||||
|
if ! cf_records="$(curl -s --request GET \
|
||||||
|
--url https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records \
|
||||||
|
--header 'Content-Type: application/json' \
|
||||||
|
--header "Authorization: Bearer $TOKEN")"
|
||||||
|
then
|
||||||
|
echo "Failed to retrive cloudflare zone records" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
for i in {0..4000}; do # Assuming 4000 is enough
|
||||||
|
record="$(echo "$cf_records" | jq --raw-output ".result[${i}].name")"
|
||||||
|
|
||||||
|
if [[ "$record" == "${HOST}.${DOMAIN}" ]]; then
|
||||||
|
host_record="$(echo "$cf_records" | jq -r ".result[${i}]")"
|
||||||
|
break
|
||||||
|
elif [[ "$record" == null ]]; then
|
||||||
|
echo "No record found for ${HOST}.${DOMAIN}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
#╔─────────────────────────────────────────────────────────────────────────────╗
|
||||||
|
#│ Sετ Λ rεcδrd τδ cμrrεητ WΛN |
|
||||||
|
#╚─────────────────────────────────────────────────────────────────────────────╝
|
||||||
|
cf_host_ip="$(echo "$host_record" | jq -r '.content')"
|
||||||
|
cf_rec_id="$(echo "$host_record" | jq -r '.id')"
|
||||||
|
|
||||||
|
if [[ -z "$cf_host_ip" || "$cf_host_ip" == null ]]; then
|
||||||
|
echo "Failed to find content of A record for ${HOST}.${DOMAIN}" >&2
|
||||||
|
exit 1
|
||||||
|
elif [[ -z "$cf_rec_id" || "$cf_rec_id" == null ]]; then
|
||||||
|
echo "Failed to find A record ID for ${HOST}.${DOMAIN}" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "$cf_host_ip" == "$wan_ip" ]]; then
|
||||||
|
echo "Cloudflare is up to date @ $(date)" >&2
|
||||||
|
else
|
||||||
|
echo "Updating Cloudflare's A record from $cf_host_ip to $wan_ip" >&2
|
||||||
|
|
||||||
|
patch_response="$(curl -s --request PATCH \
|
||||||
|
--url "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${cf_rec_id}" \
|
||||||
|
--header 'Content-Type: application/json' \
|
||||||
|
--header "Authorization: Bearer $TOKEN" \
|
||||||
|
--data '{
|
||||||
|
"comment": "'"${HOST} @ $(date)"'",
|
||||||
|
"content": "'"$wan_ip"'",
|
||||||
|
"name": "'"${HOST}.${DOMAIN}"'",
|
||||||
|
"proxied": false,
|
||||||
|
"ttl": 1
|
||||||
|
}')"
|
||||||
|
|
||||||
|
if [[ "$(echo "$patch_response" | jq -r '.success')" == true ]]; then
|
||||||
|
echo "Update to $wan_ip succeeded @ $(date)" >&2
|
||||||
|
else
|
||||||
|
echo "Failed to update A record. DUMP:"
|
||||||
|
echo "$patch_response"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
```
|
||||||
|
|
||||||
|
Now we need a systemd-timer to run this script. I run it once every 15 minutes.
|
||||||
|
Please refer to the [systemd-timers]() blog for more information, but breifly I
|
||||||
|
use:
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[Unit]
|
||||||
|
Wants=update_a_record.timer
|
||||||
|
Wants=network-online.target
|
||||||
|
After=network-online.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/local/bin/set_a_records.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Timer:
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[Unit]
|
||||||
|
Requires=update_a_record.service
|
||||||
|
|
||||||
|
[Timer]
|
||||||
|
Unit=update_a_record.service
|
||||||
|
OnCalendar=*-*-* *:00,15,30,45:00
|
||||||
|
RandomizedDelaySec=15min
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=timers.target
|
||||||
|
```
|
||||||
|
|
||||||
|
Then start it with `systemctl enable update_a_record.service`. The name of the
|
||||||
|
service will be different based on what you called the files.
|
||||||
|
|
||||||
|
Now to use this for reverse-proxy purposes, go back to your `client.toml` config
|
||||||
|
and update the `remote_addr`:
|
||||||
|
|
||||||
|
```toml
|
||||||
|
[client]
|
||||||
|
remote_addr = "mycomputer.example.com:9001"
|
||||||
|
```
|
||||||
|
|
|
@ -8,7 +8,7 @@ updateDate: 'March 28 2024'
|
||||||
|
|
||||||
Passwords are often the main method of digital identification. This means
|
Passwords are often the main method of digital identification. This means
|
||||||
anything you don't want others to access but do want yourself to access is
|
anything you don't want others to access but do want yourself to access is
|
||||||
behind some sort of password. This means we need to optimize on two fronts:
|
behind some sort of password. We need to optimize on two fronts:
|
||||||
|
|
||||||
- Easy of access: Passwords must be quick and easy to access and use
|
- Easy of access: Passwords must be quick and easy to access and use
|
||||||
- High security: Passwords must be strong to resist attacks
|
- High security: Passwords must be strong to resist attacks
|
||||||
|
@ -20,8 +20,8 @@ the way we'll learn a lot about password security in general!
|
||||||
|
|
||||||
## Optimizing for high-security
|
## Optimizing for high-security
|
||||||
|
|
||||||
A password is pretty pointless if it's not strong enough to be cracked. Let's
|
A password is pretty pointless if it's not strong enough to not get cracked.
|
||||||
look over some core security concepts!
|
Let's look over some core security concepts!
|
||||||
|
|
||||||
### Measuring Bits of Entropy
|
### Measuring Bits of Entropy
|
||||||
|
|
||||||
|
@ -148,7 +148,7 @@ result of the output space being lower dimensional than any password with higher
|
||||||
entropy, so any "stronger" password would be projected down to only 256 bits of
|
entropy, so any "stronger" password would be projected down to only 256 bits of
|
||||||
entropy.
|
entropy.
|
||||||
|
|
||||||
We can also look at how fast computers can brute-force passwords.
|
We can also look at how quickly computers can brute-force passwords.
|
||||||
[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is one of the most popular
|
[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is one of the most popular
|
||||||
hashing choices for passwords. Assuming a company is decently secure, they use
|
hashing choices for passwords. Assuming a company is decently secure, they use
|
||||||
enough rounds of hashing such that a modern processor takes about 100ms to hash
|
enough rounds of hashing such that a modern processor takes about 100ms to hash
|
||||||
|
@ -348,11 +348,10 @@ example, if a phone camera records you typing on your keyboard to decrypt the
|
||||||
GPG key, the attacker can't do *anything* with that password alone. They still
|
GPG key, the attacker can't do *anything* with that password alone. They still
|
||||||
need physical access to your system to grab the files themselves.
|
need physical access to your system to grab the files themselves.
|
||||||
|
|
||||||
An odd benefit of 3-factor authentication is distributing backups. If you
|
An odd benefit of 3-factor authentication is distributing backups. You can
|
||||||
provide people who know you, but mutually don't know one another, you can safely
|
distribute the 3 pieces between 3 third parties you trust. So long as they don't
|
||||||
entrust your passwords with third parties. This is since they need all 3 pieces
|
know each other, having 1/3 pieces doesn't compromise your security, especially
|
||||||
to mount an attack, so giving a trusted third party only 1 piece doesn't
|
if you trust them.
|
||||||
compromise your security.
|
|
||||||
|
|
||||||
Malware *could* be both a key logger and grab the files from
|
Malware *could* be both a key logger and grab the files from
|
||||||
`~/.password-store`, but that is some very sophisticated and targeted
|
`~/.password-store`, but that is some very sophisticated and targeted
|
||||||
|
|
Loading…
Reference in a new issue